Abstract 

We consider coGapSVP$_{\sqrt{n}}$, a gap version of the shortest vector in a lattice problem. This problem is 
known to be in AM ∩ coNP but is not known to be in NP or in MA. We prove that it lies inside QMA, 
the quantum analogue of NP. This is the first non-trivial upper bound on the quantum complexity of a 
lattice problem. 

The proof relies on two novel ideas. First, we give a new characterization of QMA, called QMA+. 
Working with the QMA+ formulation allows us to circumvent a problem which arises commonly in the 
context of QMA: the prover might use entanglement between different copies of the same state in order 
to cheat. The second idea involves using estimations of autocorrelation functions for verification. We 
make the important observation that autocorrelation functions are positive definite functions and using 
properties of such functions we severely restrict the prover's possibility to cheat. We hope that these 
ideas will lead to further developments in the field. 

1 Introduction 

The field of quantum algorithms has witnessed several important results (e.g., |^ E3J El ) in the last 
decade, since the breakthrough discovery of Shor's quantum algorithm for factoring and discrete logarithm 
in 1994 [21]. Despite these important developments, two problems in particular had little progress in terms 
of quantum algorithms: graph isomorphism (GI), and gap versions of lattice problems such as the shortest 
vector in the lattice problem (GapSVP) and the closest vector in the lattice problem (GapCVP). 

To understand why these problems are interesting in the context of quantum computation, let us first 
recall their definitions and what is known about them classically. Graph isomorphism is the problem of 
deciding whether two given graphs can be permuted one to the other. It is known to be in NP ∩ coAM [5] 
and therefore, it is not NP complete unless the polynomial hierarchy collapses. GapSVP$_{\beta(n)}$ is the problem 
of deciding whether the shortest vector in a given n-dimensional lattice L is shorter than 1 or longer than 
$\beta(n)$. GapCVP$_{\beta(n)}$ is the following problem: Given a lattice and a vector v, decide whether d(v,L) < 1 or 
d(v,L) > $\beta(n)$ where d(v,L) is the minimal distance between v and any point in L. Both problems have 
important cryptographic applications [16]. Regarding their complexity, it is easy to see that they both lie 
in NP for any $\beta(n) > 1$. The results of Lagarias et al. imply that when $\beta(n) = \Omega(n)$, both problems 
are in coNP. For $\beta(n) = \Omega(\sqrt{n/\log(n)})$ these lattice problems are not known to be in coNP but as 
shown in [7], they are in coAM (and in fact in the class Statistical Zero Knowledge). This implies that for 
$\beta(n) = \Omega(\sqrt{n/\log(n)})$ the problems are not NP complete unless the polynomial hierarchy collapses. 

The fact that the graph isomorphism problem and the two lattice problems with the above parameters 
are very unlikely to be NP complete, and that they possess a lot of structure, raised the hope that quantum 
computers might be able to solve them more efficiently than classical computers. Despite many attempts, so 
far all that is known in terms of the quantum complexity of these problems are reductions to problems for 
which quantum algorithms are also not known [21, 17, 5], and negative results regarding possible approaches 
[10, 18]. Progress in designing an algorithm for one of these problems is the holy grail of quantum algorithmic 
theory. 

School of Computer Science and Engineering, The Hebrew University, Jerusalem, Israel, doria@cs.huji.ac.il. Research 
supported by ISF grant 032-9738. 

Institute for Advanced Study, Princeton, NJ. odedr@ias.edu. Research supported by NSF grant CCR-9987845. 

In light of the difficulty of finding efficient algorithms for these problems, a weaker question attracted 
attention: can any quantum upper bound be given on these problems, which does not follow trivially from the 
classical upper bounds? Regarding graph isomorphism, which is known to be in coAM, the natural question 
to ask is whether it is in coQMA, the quantum analog of coNP. It is more natural to speak in this context, and 
in the rest of the paper, about the complements of the problems we described, and so the question is whether 
the graph non-isomorphism (GNI) problem lies inside QMA. QMA can be viewed as the quantum analog 
of NP, and was recently studied in various papers [131 1241 HI 1121 12*2*| . Strictly speaking, QMA is actually 
the analog of Merlin Arthur, the probabilistic version of NP, since in the quantum world it is more natural 
to consider probabilistic classes. Attempts to prove that GNI is in QMA have so far failed. As for lattice 
problems, since NP ⊆ QMA, it follows from the classical result ^1] that if $\beta(n) = \Omega(n)$ the complements 
of the problems we described, namely coGapCVP and coGapSVP, lie in QMA. The interesting question, 
however, is whether these problems are still in QMA for lower gaps, such as $\beta(n) = \Omega(\sqrt{n})$. Notice that 
this does not follow from the classical results. 

1.1 Results 

In this paper we solve the question of containment in QMA for one of the aforementioned problems. This is 
the first non-trivial quantum upper bound for a lattice problem. 

Theorem 1.1 The problem coGapSVP$_{c\sqrt{n}}$ is in QMA for some constant c > 0. 

One of the new ideas in the proof of Theorem 1.1 is the important connection between quantum estimations 
of inner products, or autocorrelation estimates, and properties of positive definite functions. The 
technique of using positive definite functions to analyze quantum protocols is likely to prove useful in other 
contexts, due to its generality: the property of positive definiteness applies to autocorrelation functions over 
any group, and not only over $\mathbb{R}^n$ as in our case. 

Another important issue in the proof of Theorem 1.1 is a problem that arises commonly in the analysis of 
QMA protocols. Namely, in certain situations, we would like to repeat a test on several copies of the witness 
but the prover might use entanglement between the copies in order to cheat. We circumvent this problem by 
giving a new characterization of QMA, named QMA+. We start by proving that indeed QMA = QMA+ 
and then, using this new characterization, we prove the soundness of our protocol. 

1.2 Open Questions 

Hopefully, both the new characterization of QMA and the new technique of verification using positive definite 
functions will help in proving that other important problems such as GNI and coGapCVP$_{\sqrt{n}}$ lie in QMA. 

In more generality, in this work we gain a better understanding of the class QMA and the techniques 
used to analyze it. We hope that this work will lead to an even better understanding of this important 
class. Understanding classical NP led to a few of the most important results in theoretical computer science, 
including PCP and hardness of approximation. A few indications that QMA is fundamental for quantum 
computation have already been given in Q][3]. 

Our results might also lead to progress in terms of quantum algorithms for lattice problems. In this 
context, it is interesting to consider Theorem 1.1 in light of a recent paper by Aharonov and Ta-Shma 
[2]. [2] showed that if the state we use as the quantum witness in the QMA protocol can be generated 
efficiently, it can be used to provide a BQP algorithm for the lattice problem. The result we present here 
shows that certain properties of the state of [2] can be verified efficiently, which might be a stepping stone 
towards understanding how to generate the state efficiently, thus providing an efficient algorithm for the 
lattice problem. 

Finally, we mention that similar techniques to the one used in the proof of QMA = QMA+, might also 
prove useful in other contexts, for example for proving security of quantum cryptographic protocols. 

1.3 Outline of the Paper 

The paper starts with an overview of the proof. We continue with preliminaries in Section 3. The proof of 
Theorem 1.1 is obtained by combining three theorems. The proof of each of the theorems is independent and 
is presented in a separate section. First, in Section 4 we define the class QMA+ and show that it is equal 
to QMA. Then, in Section 5 we show that coGapCVP', a version of coGapCVP, is in QMA+. Finally, in 
Section 6 we show that if coGapCVP' is in QMA then so is coGapSVP. 

2 Overview of the Proof 

Assume we are given a witness which we would like to verify. Usually, we apply a certain unitary transformation 
and measure the output qubit. If the witness is correct, the outcome should be 1. Hence, we reject if the 
outcome is 0. Consider, however, a situation where our unitary transformation is such that for the correct 
witness the outcome is 1 with probability p, for some p > 0. Thus, it is natural to consider the following 
stronger test: we apply a unitary transformation and accept if the probability of measuring 1 is close to some 
number p. We call a verifier that performs such tests a super-verifier and denote the corresponding class by 
QMA+. Our first theorem is 

Theorem 2.1 QMA = QMA+ 

Showing that QMA is contained in QMA+ is easy; essentially, the super-verifier can say that the 
probability of measuring 1 should be close to p = 1. The other direction is more interesting. Given a 
super-verifier we can construct a verifier that accepts a witness which is composed of many copies of the 
original witness. The verifier can then apply the unitary transformation to each one of the copies and 
measure the results. Finally, it can compute the fraction of times 1 was measured and check if it is close to 
p. Indeed, if the prover does not cheat and sends many copies of the original witness we should measure 1 in 
around a p fraction of the measurements. However, it seems that the prover might be able to cheat by using 
entanglement between the different copies. Using the Markov inequality, we show that this is impossible. 

Next, we show 

Theorem 2.2 The problem coGapCVP'$_{c\sqrt{n}}$ is in QMA+ for some constant c > 0. 

coGapCVP'$_{\beta(n)}$ is a variant of coGapCVP$_{\beta(n)}$ where we are given the additional promise that the shortest 
vector in L is longer than $\beta(n)$. The proof of this theorem is very involved, but the idea is as follows. 

The correct quantum witness $|\xi\rangle$ for coGapCVP', i.e., the witness in case v is far from the lattice, is 
defined as follows (a similar state appears in [2] which can be seen as the quantum analogue of the probability 
distribution of [7]). Consider the 'probability distribution' obtained by choosing a random lattice point and 
adding to it a Gaussian of radius $\sqrt{n}$. We define $|\xi\rangle$ as the superposition corresponding to this probability 
distribution. See Figure 1. Actually, the state $|\xi\rangle$ cannot be defined as above, since we cannot represent 
a point in $\mathbb{R}^n$ with infinite precision, so we need to work over a very fine grid. Moreover, the number of 
grid points in $\mathbb{R}^n$ is infinite. Hence, we restrict the state to grid points inside the basic parallelepiped of the 
lattice. We will define this formally later; it is best to keep in mind the continuous picture. 

Given this superposition, for some constant c, solving coGapCVP'$_{c\sqrt{n}}$ (and in fact also coGapCVP$_{c\sqrt{n}}$) 
is easy: it is done by estimating the inner product of the above state with the same state shifted by v. If 
$d(v, L) > c\sqrt{n}$ then the inner product is almost zero since the Gaussians and their shifted version do not 
intersect. If d(v,L) < 1, the inner product is large since the two states are almost the same. To show 
containment in QMA+, we will use this state as the correct witness. Hence, it remains to show how a 
super-verifier can verify that the prover is not cheating. Cheating in this context means that d(v, L) < 1 but 
the prover claims that $d(v, L) > c\sqrt{n}$ and sends some witness which is not necessarily the correct witness. 

Figure 1: The quantum witness 

We now define the verification process. Define h(x) to be the real part of the inner product of the given 
witness state with itself shifted by x. We call h the autocorrelation function of the witness. It is a function 
from $\mathbb{R}^n$ to $\mathbb{R}$ such that h(0) = 1. We define g to be the same, for the correct witness. An important 
property of h is that for any x, there exists a quantum circuit whose probability of outputting 1 is directly 
related to h(x). Hence, since a super-verifier can check the probability of outputting 1, it can effectively check 
that h(x) is close to some value. Since we expect to see the correct witness, we construct a super-verifier that 
checks that h(x) is close to g(x) for some vectors x. More precisely, with probability half the super-verifier 
chooses the vector v and otherwise it randomly chooses a polynomially short vector. 

In order to complete the description of the super-verifier, we have to show that it can compute g(x) for the 
points chosen above. Later in the paper we analyze the function g and it turns out to have a familiar form: 
it is very close to a periodic Gaussian, like the one shown in Figure Therefore, g(v) is approximately 
zero since v is far from the lattice and g(x) for short vectors x has the form e - " 2 " . In both cases, the 
super-verifier knows the value of g and can therefore perform the verification procedure described above. We 
remark that analyzing g involves some technical calculations; it is here that we need the assumption that 
the shortest vector in the lattice is large, so that the Gaussians are well separated and do not interfere with 
each other. 

The proof of soundness of this test uses the observation that autocorrelation functions are necessarily 
positive definite. A function f is positive definite (PD) if for any k > 1 and any k points $x_1, \ldots, x_k \in \mathbb{R}^n$, 
the k × k matrix M defined by $M_{i,j} = f(x_i - x_j)$ is positive semidefinite. Notice that no matter what witness 
the prover gives, the function h must be PD since it is an autocorrelation function. We will complete the 
proof by showing that no PD h exists which passes the above test if d(v, L) < 1/3, i.e., no PD function exists 
which is both close to 0 at a vector v whose distance to L is at most 1/3, and also close to a Gaussian at 
many randomly chosen points polynomially close to the origin. 

Why doesn't such a PD function exist? Intuitively, our proof relies on certain non-local behaviors of 
positive definite functions. Namely, we will show that changing the value of a PD function at even one point 
affects the function at many other points. We assume that h(v) is close to 0 and d(v, L) < 1/3. Let w be a 
point which is equal to v modulo the lattice (i.e., $w - v \in L$) such that $\|w\| < 1/3$. Such a point exists since 
d(v, L) < 1/3. As we will see later, we can guarantee that h is periodic on the lattice and hence h(w) = h(v) 
is close to 0. We start with a simple property of positive definite functions which can be obtained from using 
3 × 3 matrices in the definition: if h(w) is close to 0 then h(w/2) is at most 3/4 and similarly, h(w/4) is 
at most 15/16. By repeating the argument we derive an upper bound on h(y) where $y = w/2^k$ for some 
k > 0. The point y is polynomially close to the origin and the upper bound is much smaller than the correct 
Gaussian value, g(y). This shows that the super-verifier can detect a cheating prover by choosing the point y. 
However, the super-verifier does not know where v is relative to the lattice and therefore he cannot compute 
w or y. The probability that our randomly chosen point happens to be y is negligible. 

Thus, we will have to derive stronger properties of the function h. These will be obtained by considering 
the positive definite condition with 4 × 4 matrices. Essentially, we will show that for any point x which is 
almost orthogonal to y, it cannot be that h(x), h(x + y) and h(x − y) are all close to their correct values 
g(x), g(x + y), g(x − y). This means that one of the points in the triple x, x + y, x − y is such that the verifier 
detects a cheating prover by choosing it. Using the fact that y was chosen to be polynomially short, we will 
argue that all three points in a triple have roughly the same probability to be chosen by the verifier. Hence, 
a cheating prover is caught with non-negligible probability, and the soundness of the protocol follows. 

Curiously, it seems essential in our proof to use Gaussians and not spheres. This is unlike the classical 
proof of [7] that seems to work both with spheres and with Gaussians. Essentially, the difference between the 
two distributions is in the behavior of their autocorrelation functions. For Gaussians, the autocorrelation 
with a short vector x behaves like $h(x) \approx 1 - c_1\|x\|^2$ while for spheres it behaves like $h(x) \approx 1 - c_2\|x\|$ 
where $c_1, c_2$ are some constants. In the proof, using properties of positive definite functions obtained from 
4 × 4 matrices, we obtain an upper bound of the form $h(x) < 1 - c'\|x\|^2$ for some constant $c' > c_1$. This 
yields a contradiction since $1 - c'\|x\|^2 < 1 - c_1\|x\|^2$. However, if we used spheres, we would not obtain any 
contradiction since $1 - c'\|x\|^2 > 1 - c_2\|x\|$ for short vectors x. 

To complete the proof of Theorem 1.1 we need the final theorem: 

Theorem 2.3 For any $\beta = \beta(n) > 1$, if coGapCVP'$_\beta$ is in QMA then so is coGapSVP$_\beta$. 

The proof of this theorem uses an idea similar to [9]. Essentially, an instance of coGapSVP$_\beta$ can be 
translated into n instances of coGapCVP'$_\beta$. If there is no short vector in the original lattice then in all the 
CVP instances the target vector is far from the lattice. Otherwise, if there exists a short vector then in at 
least one of the CVP instances, the target vector is close to the lattice. Based on this idea, we construct a 
quantum verifier for coGapSVP$_\beta$. The witness it expects to see is a concatenation of the n witnesses of the 
corresponding coGapCVP'$_\beta$ problems. It applies a coGapCVP'$_\beta$ verifier to each one of the copies and accepts 
if and only if they all accept. 

3 Preliminaries 

3.1 Definitions 

For $a \in \mathbb{R}$, define $\mu(a)$ as $e^{-\pi a^2}$. For any $x \in \mathbb{R}^n$, we will often denote $\mu(\|x\|)$ by $\mu(x)$. Let $B_n$ denote the 
n-dimensional unit ball and let $\omega_n$ denote its volume. For a vector $x \in \mathbb{R}^n$ let $x^\perp$ denote the (n − 1)-dimensional 
subspace orthogonal to x. For a vector $x \in \mathbb{R}^n$ and a subspace S let $P_S(x)$ denote the projection of x on the 
subspace S. We will slightly abuse notation by denoting the projection of x on the subspace spanned by a 
vector v as $P_v(x)$. 

3.2 Lattices 

For an introduction to lattices, see [EJ. A lattice in $\mathbb{R}^n$ is defined as the set of all integer combinations of n 
linearly independent vectors. This set of vectors is known as a basis of the lattice and is not unique. Given 
a basis $(v_1, \ldots, v_n)$ of a lattice L, the fundamental parallelepiped is defined as 



When the basis is clear from the context we will use the notation $\mathcal{P}(L)$ instead of $\mathcal{P}(v_1, \ldots, v_n)$. Note that 
a lattice has a different fundamental parallelepiped for each possible basis. For a point $x \in \mathbb{R}^n$ we define 
d(x, L) as the minimum of $\|x - y\|$ over all $y \in L$. 

For a lattice $L = (v_1, \ldots, v_n)$ and a point $x \in \mathbb{R}^n$ we define x mod L as the unique point $y \in \mathcal{P}(v_1, \ldots, v_n)$ 
such that y − x is an integer combination of $v_1, \ldots, v_n$ (see, e.g., ^Hl). Notice that a function $f : \mathcal{P}(L) \to \mathbb{C}$ 
can be naturally extended to a function $f' : \mathbb{R}^n \to \mathbb{C}$ by defining $f'(x) := f(x \bmod L)$. We will often refer 
to values of functions outside of $\mathcal{P}(L)$, in which case we mean the periodicity above. We will also use, for 
technical proofs, the notion of a Voronoi cell of L, denoted Vor(L), which is the set of all points in $\mathbb{R}^n$ 
which are closer to the origin than to any other lattice point. In addition, $\tau_L(x)$ denotes the unique point 
$y \in \mathrm{Vor}(L)$ such that $y - x \in L$. Notice that $\|\tau_L(x)\| = d(x, L)$. 

3.3 Shortest and Closest Vector in a lattice 

The shortest (non-zero) vector of L is the vector $x \in L$, such that $x \neq 0$ and $\|x\|$ is minimal. The following is 
the gap version of the shortest vector problem: 

Definition 3.1 (coGapSVP) For any gap parameter $\beta = \beta(n)$ the promise problem coGapSVP$_\beta$ is defined 
as follows. The input is a basis for a lattice L. It is a YES instance if the length of the shortest vector is 
more than $\beta$. It is a NO instance if the length of the shortest vector is at most 1. 

We also define the gap version of the closest vector problem and a non-standard variant of it which will 
be used in this paper: 

Definition 3.2 (coGapCVP) For any gap parameter $\beta = \beta(n)$ the promise problem coGapCVP$_\beta$ is defined 
as follows. The input is a basis for a lattice L and a vector v. It is a YES instance if $d(v,L) > \beta$. It 
is a NO instance if d(v,L) < 1. 

Definition 3.3 (coGapCVP') For any gap parameter $\beta = \beta(n)$ the promise problem coGapCVP'$_\beta$ is defined 
as follows. The input is a basis for a lattice L and a vector v. It is a YES instance if $d(v, L) > \beta$ and 
the shortest vector in L is of length at least $\beta$. It is a NO instance if d(v, L) < 1. 

Each vector in the input basis $v_1, \ldots, v_n$ is given with polynomially many bits. Without loss of generality, 
we assume that the target vector v is given to us in the form $\sum a_i v_i$ where each $0 \le a_i < 1$ is represented 
by at most $\ell = \mathrm{poly}(n)$ bits. 

3.4 Quantum NP 

We are interested in the quantum analog of the class NP. For an introduction to this class, the reader is 
referred to a recent survey by Aharonov and Naveh and to a book by Kitaev, Shen and Vyalyi [13]. 
Strictly speaking, this class is the quantum analogue of MA, the probabilistic version of NP, and so it is 
denoted QMA. It is also sometimes denoted BQNP [13]. 

Definition 3.4 (QMA) A language $L \in$ QMA if there exists a quantum polynomial time verifier V, polynomials 
p, q, and efficiently computable functions c, s, such that: 

• $\forall x \in L\ \exists \rho\quad \mathrm{tr}(\Pi^{|1\rangle} V \rho V^\dagger) > c(|x|)$ 

• $\forall x \notin L\ \forall \rho\quad \mathrm{tr}(\Pi^{|1\rangle} V \rho V^\dagger) < s(|x|)$, 

and the $\rho$'s are density matrices of $p(|x|)$ qubits. 

3.5 Positive Definite Functions 

Definition 3.5 A k × k matrix M is positive semidefinite (PSD) if it is Hermitian and for any vector 
$w \in \mathbb{C}^k$, $w^\dagger M w$ is real and non-negative. 

The requirement that M is Hermitian is redundant since this is already implied by the requirement that 
$w^\dagger M w$ is real for all $w \in \mathbb{C}^k$. The next two claims list some simple properties of positive semidefinite 
matrices. 

Claim 3.6 Let M, M' denote two positive semidefinite matrices. Then the following matrices are also positive 
semidefinite: $cM$, $M + M'$, $M^*$ and $\mathrm{Re}(M)$ where c > 0 is real and Re(M) is the matrix obtained by 
taking the real part of every entry of M. 

Proof: Clearly, all four matrices are Hermitian. Let w be any vector in $\mathbb{C}^k$. Then, $w^\dagger cMw = c\,w^\dagger Mw \ge 0$ 
and $w^\dagger(M + M')w = w^\dagger Mw + w^\dagger M'w \ge 0$. Also, $w^\dagger M^* w = ((w^*)^\dagger M w^*)^* \ge 0$. Finally, Re(M) = 
(M + M*)/2 which is positive semidefinite according to the previous cases. ■ 

Claim 3.7 The determinant of a positive semidefinite matrix M is non-negative. 

Proof: Since M is Hermitian, it can be diagonalized with orthogonal eigenvectors and real eigenvalues. 
Moreover, since it is positive semidefinite, its eigenvalues are non-negative. Hence, the determinant of M, 
which is the product of its eigenvalues, is non-negative. ■ 

Next, we define a positive definite function over an arbitrary group E. In this paper, E will always be a 
grid in $\mathbb{R}^n$, i.e., a discrete additive subgroup of $\mathbb{R}^n$. 

Definition 3.8 Let E be a group. A function $g : E \to \mathbb{C}$ is positive definite (PD) if for any integer k > 1 
and any set of group elements $x_1, \ldots, x_k \in E$, the k by k matrix M defined by $M_{i,j} = g(x_i - x_j)$ is positive 
semidefinite. 

The following two corollaries follow directly from Definition 3.8 and Claims 3.6, 3.7. 

Corollary 3.9 Let g, g' be two positive definite functions. Then the following functions are also positive 
definite: $c \cdot g$, $g + g'$, $\mathrm{Re}(g)$ where c > 0 is real. 

Corollary 3.10 Let $g : E \to \mathbb{C}$ be a positive definite function for some group E. Then, for any integer 
k > 1 and any set of group elements $x_1, \ldots, x_k \in E$, the k by k matrix M defined by $M_{i,j} = g(x_i - x_j)$ has 
a non-negative determinant. 

Using Corollary 3.10 we derive the following two useful lemmas. These lemmas describe known properties 
of positive definite functions (see, e.g., [1^11^0]). 

Lemma 3.11 Let $g : E \to \mathbb{R}$ be a real positive definite function such that g(0) = 1. Then for any $x \in E$, 
$g(x) = g(-x)$ and $|g(x)| \le 1$. 

Proof: Choose k = 2 in Definition 3.8 and choose 0 and x as the two group elements. Then, 

$$M = \begin{pmatrix} 1 & g(-x) \\ g(x) & 1 \end{pmatrix}$$ 

is positive semidefinite. Hence, M is Hermitian and $g(x) = (g(-x))^* = g(-x)$. Moreover, 

$$0 \le |M| = \begin{vmatrix} 1 & g(x) \\ g(x) & 1 \end{vmatrix} = 1 - (g(x))^2.$$ 

Therefore $|g(x)| \le 1$. 

Lemma 3.12 Let $g : E \to \mathbb{R}$ be a real positive definite function such that g(0) = 1. Then, for any $x \in E$ 
such that $x/2 \in E$ exists, $g(x/2) \le \sqrt{(1 + g(x))/2} \le (g(x) + 3)/4$. 

Proof: Choose k = 3 in Definition 3.8 and choose 0, x and x/2 as the three group elements. Let b denote 
g(x) and a denote g(x/2) = g(−x/2). Then, 

$$0 \le \begin{vmatrix} 1 & b & a \\ b & 1 & a \\ a & a & 1 \end{vmatrix} = 1 - a^2 - b(b - a^2) + a(ba - a) = (1 - b)(1 + b - 2a^2).$$ 

According to Lemma 3.11, $b \le 1$. Hence we have $1 + b - 2a^2 \ge 0$ which implies 

$$a \le \sqrt{(1 + b)/2} \le \frac{b + 3}{4}.$$ 

3.6 Autocorrelation and Positive Definite Functions 

The following claim shows the important fact that autocorrelation functions are always positive definite. 

Claim 3.13 Let f be a function from a group E to the complex numbers, and let h be its autocorrelation 
function defined by $h(x) := \sum_{y \in E} f^*(y) f(y + x)$. Then h is a positive definite function. 

Proof: Let k > 1 and $x_1, \ldots, x_k \in E$ be arbitrary and consider the k × k matrix M defined by $M_{i,j} = 
h(x_i - x_j)$. According to Definition 3.8 it is enough to show that M is PSD. For any vector $w \in \mathbb{C}^k$, 

$$\begin{aligned}
w^\dagger M w &= \sum_{i,j=1}^{k} h(x_i - x_j)\, w_i^* w_j = \sum_{i,j=1}^{k} \sum_{y \in E} f^*(y) f(y + x_i - x_j)\, w_i^* w_j \\
&= \sum_{i,j=1}^{k} \sum_{y \in E} f^*(y - x_i) f(y - x_j)\, w_i^* w_j = \sum_{y \in E} \Big( \sum_{i=1}^{k} f^*(y - x_i)\, w_i^* \Big) \Big( \sum_{j=1}^{k} f(y - x_j)\, w_j \Big) \\
&= \sum_{y \in E} \Big| \sum_{i=1}^{k} f(y - x_i)\, w_i \Big|^2 \ge 0.
\end{aligned}$$ 
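
A numerical check of Claim 3.13, Lemma 3.12 and the halving argument of Section 2, added here as an example and not taken from the paper. The one-dimensional lattice 10·Z, the 640-point grid, the weight exp(−π d²) and all function names are assumptions chosen for illustration.

```python
import math

PERIOD = 10.0   # assumed 1-D lattice L = 10*Z: shortest vector 10*sqrt(n) for n = 1
N = 640         # assumed grid points per lattice period (grid step 1/64)
STEP = PERIOD / N


def dist_to_lattice(j):
    """d(x, L) for the grid point x = j * STEP."""
    j %= N
    return min(j, N - j) * STEP


def witness():
    """Real amplitudes f(x): sqrt of the weight exp(-pi d^2), zero when d > 2*sqrt(n)."""
    raw = []
    for j in range(N):
        d = dist_to_lattice(j)
        raw.append(math.exp(-math.pi * d * d / 2) if d <= 2.0 else 0.0)
    norm = math.sqrt(sum(a * a for a in raw))
    return [a / norm for a in raw]


def autocorrelation(f, x):
    """h(x) = sum_y f*(y) f(y + x) over the cyclic group Z_N (f is real here)."""
    return sum(f[y] * f[(y + x) % N] for y in range(N))


def quadratic_form(f, points, w):
    """Return w^dagger M w for M_ij = h(x_i - x_j), and the sum of squares of Claim 3.13."""
    k = len(points)
    direct = sum(w[i].conjugate() * autocorrelation(f, points[i] - points[j]) * w[j]
                 for i in range(k) for j in range(k))
    squares = sum(abs(sum(f[(y - x) % N] * wi for x, wi in zip(points, w))) ** 2
                  for y in range(N))
    return direct, squares


def halving_holds(h, x):
    """Lemma 3.12 for even x: h(x/2) <= sqrt((1 + h(x))/2) <= (h(x) + 3)/4."""
    a, b = h(x // 2), h(x)
    mid = math.sqrt((1 + b) / 2)
    return a <= mid + 1e-12 and mid <= (b + 3) / 4 + 1e-12


def forced_upper_bound(h_w, k):
    """Upper bound on h(w/2^k) that k applications of Lemma 3.12 force when h(w) = h_w."""
    b = h_w
    for _ in range(k):
        b = math.sqrt((1 + b) / 2)
    return b


def detection_gaps(f, w, kmax):
    """Honest g(w/2^k) minus the forced bound for a cheater with h(w) = 0, k = 1..kmax."""
    return [autocorrelation(f, w >> k) - forced_upper_bound(0.0, k)
            for k in range(1, kmax + 1)]


if __name__ == "__main__":
    f = witness()
    # w = 16 grid steps has norm 0.25 < 1/3, as in the NO case of the overview.
    for k, gap in enumerate(detection_gaps(f, 16, 4), start=1):
        print(f"k={k}: honest g(w/2^k) exceeds the forced bound by {gap:.4f}")
```

The gap shrinks by roughly a factor of 4 per halving but stays positive, which is the reason the overview moves on to 4 × 4 matrices: the verifier cannot locate the points w/2^k itself.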



4 QMA+ 

A "super-verifier" is given by a classical polynomial-time randomized algorithm that given an input x outputs 
a description of a quantum circuit V and two numbers $r, s \in [0,1]$. This can be thought of as follows. Assume 
that we are given a witness described by a density matrix $\rho$. Then, consider $\mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger)$ where $\Pi^{|1\rangle}$ is the 
projection on the space where the output qubit of V is $|1\rangle$ (this is equal to the probability of measuring an 
output qubit of $|1\rangle$). Then, r represents an estimate of this value and s is the accuracy of the estimate. 

Definition 4.1 (QMA+) A language $L \in$ QMA+ if there exists a super-verifier and polynomials $p_1, p_2, p_3$ 
such that: 

• $\forall x \in L\ \exists \rho\quad \Pr_{V,r,s}\left(|\mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger) - r| \le s\right) = 1$ 

(i.e., there exists a witness such that with probability 1 the super-verifier outputs V which accepts the 
witness with probability which is close to r) 

• $\forall x \notin L\ \forall \rho\quad \Pr_{V,r,s}\left(|\mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger) - r| \le s + p_3(1/|x|)\right) \le 1 - p_2(1/|x|)$ 

(i.e., for any witness, with some non-negligible probability, the super-verifier outputs a circuit V that 
accepts the witness with probability which is not close to r) 

where probabilities are taken over the outputs V, r, s of the super-verifier and $\rho$ is a density matrix over $p_1(|x|)$ 
qubits. 

In the rest of this section we prove Theorem 2.1. We note that for simplicity we defined QMA+ with 
perfect completeness in the YES case; the same theorem holds also with non-perfect completeness. 

The following lemma proves the easy direction of the theorem. It will not be used in this paper and is 
presented here mainly for the sake of completeness. 

Lemma 4.2 QMA ⊆ QMA+ 

Proof: Note that using amplification [13], any language in QMA has a verifier with completeness c > 7/8 and 
soundness s < 1/8. Given such a verifier V, construct a super-verifier that simply outputs (V, r = 1, s = 1/2). 
This satisfies the definition of QMA+, using $p_3(|x|) = p_2(|x|) = 1/4$, for example. ■ 

We now prove the more interesting direction: 

Theorem 4.3 QMA+ ⊆ QMA 

Proof: Given a super-verifier for a language $L \in$ QMA+ with polynomials $p_1, p_2, p_3$, we construct a QMA 
verifier V' for L. Let $k = \mathrm{poly}(|x|)$ be a large enough parameter to be determined later. The witness given 
to V' consists of $k \cdot p_1(|x|)$ qubits which can be thought of as k registers of $p_1(|x|)$ qubits each. Given an 
input x, the verifier V' starts by calling the super-verifier with the input x. The result is a description of a 
circuit V and numbers $r, s \in [0, 1]$. Next, V' applies V to each of the k registers and measures the results. 
Let r' denote the number of 1s measured divided by k. V' accepts if $|r' - r| \le s + \frac{1}{2}p_3(1/|x|)$ and rejects 
otherwise. 

Completeness: Let $x \in L$ and let $\rho$ be as in Definition 4.1. The witness for V' will be $\rho^{\otimes k}$. Note that the 
probability to measure 1 in each register is $\mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger)$. Let us denote this probability by $p_V$ and let us 
choose $k = n/(p_3(1/|x|))^2$. Then, according to the Chernoff bound, the probability that $|r' - p_V| > \frac{1}{2}p_3(1/|x|)$ 
is at most $2e^{-2k(p_3(1/|x|)/2)^2} = 2^{-\Omega(n)}$. By Definition 4.1 the triples (V, r, s) given by the super-verifier are 
such that $|p_V - r| \le s$ and 

$$|r' - r| \le |r' - p_V| + |p_V - r| \le \frac{1}{2}p_3(1/|x|) + s$$ 

which implies that V' accepts with probability exponentially close to 1. 

Soundness: It suffices to show that if $x \notin L$ then V' rejects with probability at least $\frac{1}{2}p_2(1/|x|)\,p_3(1/|x|)$ 
(which is polynomially bounded from 0). Essentially, the reasoning is based on a Markov argument, as we 
will see shortly. 

Let $|\eta\rangle$ be any witness for V'. We first define a witness $\rho$ for the circuits V that the super-verifier outputs. 
Let $\eta_i$ be the reduced density matrix of $\eta$ to the i'th register, and let $\rho$ be the average of the reduced 
density matrices: $\rho = \frac{1}{k}\sum_{i=1}^{k} \eta_i$. For an output of the super-verifier (V, r, s) we again let $p_V$ denote the 
probability to measure 1 given $\rho$, namely $p_V = \mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger)$. We observe that 

Claim 4.4 For a fixed witness $|\eta\rangle$ and a fixed circuit V, the expectation of the random variable r' is $p_V$. 

Proof: The random variable r' is the average of k indicator variables. The expected value of the i'th 
indicator variable is $\mathrm{tr}(\Pi^{|1\rangle} V\eta_i V^\dagger)$. Therefore, using linearity of expectation, the expected value of r' is 

$$\frac{1}{k}\sum_{i=1}^{k} \mathrm{tr}(\Pi^{|1\rangle} V\eta_i V^\dagger) = p_V.$$ ■ 

According to Definition 4.1, with probability at least $p_2(1/|x|)$, (V, r, s) is such that $|p_V - r| > s + p_3(1/|x|)$. 
Then, it is enough to show that for such triples (V, r, s), V' rejects with probability at least $\frac{1}{2}p_3(1/|x|)$. So, 
in the following fix one such triple (V, r, s). Using Claim 4.4 we obtain that the expected value of r' is either 
less than $r - s - p_3(1/|x|)$ or more than $r + s + p_3(1/|x|)$. We now use a Markov argument; in the first case, 
since r' is a non-negative random variable, the probability that it is more than $r - s - \frac{1}{2}p_3(1/|x|)$ (so that 
V' may accept) is at most 

$$\frac{r - s - p_3(1/|x|)}{r - s - \frac{1}{2}p_3(1/|x|)} \le 1 - \frac{1}{2}p_3(1/|x|).$$ 

Similarly, for the second case, consider the non-negative random variable 1 − r'. The probability that it is 
greater than $1 - (r + s + \frac{1}{2}p_3(1/|x|))$ is at most 

$$\frac{1 - (r + s + p_3(1/|x|))}{1 - (r + s + \frac{1}{2}p_3(1/|x|))} \le 1 - \frac{1}{2}p_3(1/|x|).$$ 

5 coGapCVP' is in QMA+ 

In this section we prove Theorem 2.2. Recall that an input to coGapCVP'$_{c\sqrt{n}}$ is a pair (L, v). By choosing a 
large enough constant c and scaling we can assume that in YES instances, $d(v, L) > 10\sqrt{n}$ and the shortest 
vector in L is of length at least $10\sqrt{n}$ and that in NO instances d(v, L) < 1/3. 



5.1 The Quantum Witness 

In the case of a YES instance, the prover provides a quantum state that represents a Gaussian distribution around the lattice points. We will use the periodicity of the lattice and present our state as a superposition over points inside the parallelepiped $\mathcal{P}(L)$.

We would have liked to consider the superposition over all points in the parallelepiped $\mathcal{P}(L)$ with weights that depend on the distance to the lattice:

$x \in \mathcal{P}(L) \mid d(x,L) < 2\sqrt{n}$

However, this state is ill defined since the register contains points in $\mathbb{R}^n$, which we need infinite precision in order to represent. We will therefore discretize space, and consider points on a very fine lattice $G$. In order to prevent confusion, we will refer to $G$ as a 'grid' and not a lattice. We discuss this in the following.

Discretization Issues: The grid $G$ is obtained by scaling down the lattice $L = (v_1, \ldots, v_n)$ by a factor of $2^m$ for some $m > 0$. Formally, $G$ is the set of all integer combinations of the vectors $v_i/2^m$ where $m < \mathrm{poly}(n)$ is chosen such that the following requirements are satisfied:

• The diameter of one parallelepiped of $G$, $\mathrm{diam}(\mathcal{P}(G))$, is at most $2^{-n}$, and

• $m \ge \ell + n$ where $\ell$ was defined as the precision in which $v$ is given.

Note that we can choose $m$ to be polynomial in $n$ because $\mathrm{diam}(\mathcal{P}(G)) = \mathrm{diam}(\mathcal{P}(L))/2^m < \sum_i \|v_i\|/2^m$.

To store a vector in $\mathcal{P}(L) \cap G$ in the quantum register, we store its coefficients in terms of the basis vectors $v_i$. Each coefficient is a number of the form $j/2^m$ for $0 \le j < 2^m$ and so we need $m$ bits to store $j$. Since we need $n$ coefficients, the register consists of $nm = \mathrm{poly}(n)$ qubits.

The formal definition of the witness is: 
$$|\xi\rangle = \sum_{x \in \mathcal{P}(L) \cap G} f(x)|x\rangle$$

where

$$f(x) = \begin{cases} \sqrt{\mu(\tau_L(x))}/D & d(x,L) < 2\sqrt{n}, \\ 0 & \text{otherwise,} \end{cases}$$

and $D$ is a normalization factor chosen so that

$$\sum_{x} (f(x))^2 = 1.$$

5.2 Autocorrelation tests 

Our verification process is based on autocorrelation tests which we define in the following. 

Definition 5.1 For $x \in G$, $T_x$ is defined to be the bijection $a \mapsto a - x \bmod \mathcal{P}(L)$ from $\mathcal{P}(L) \cap G$ into itself.

Definition 5.2 The function $g : G \to \mathbb{R}$ is defined as $g(x) = \mathrm{Re}(\langle\xi|T_x|\xi\rangle)$.

Note that $g(x)$ is equal to

$$\sum_{y \in \mathcal{P}(L) \cap G} f(y) f(x + y).$$

Definition 5.3 (Autocorrelation circuit with respect to $x$) For any $x \in G$ define the circuit $C_x$ as follows. Given an input register, add one qubit (called the control qubit) in the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$. Then apply $T_x$ to the register conditioned that the control qubit is 1, and otherwise do nothing. Finally, apply the Hadamard matrix $H$ on the control qubit. The control qubit is the output qubit.

Claim 5.4 Given a pure state $|\eta\rangle$, the probability of measuring 1 after applying $C_x$ is $(1 - \mathrm{Re}(\langle\eta|T_x|\eta\rangle))/2$.

Proof: After adding the control qubit to $|\eta\rangle$, the state is $\frac{1}{\sqrt{2}}(|0\rangle|\eta\rangle + |1\rangle|\eta\rangle)$. After performing a conditioned $T_x$, the state is $\frac{1}{\sqrt{2}}(|0\rangle|\eta\rangle + |1\rangle T_x|\eta\rangle)$. Finally, after the Hadamard transform, the state is

$$\frac{1}{2}\big(|0\rangle(|\eta\rangle + T_x|\eta\rangle) + |1\rangle(|\eta\rangle - T_x|\eta\rangle)\big).$$

The probability of measuring 1 is therefore

$$\frac{1}{4}\big(\langle\eta| - \langle\eta|T_x^\dagger\big)\big(|\eta\rangle - T_x|\eta\rangle\big) = \frac{1}{2}\big(1 - \mathrm{Re}(\langle\eta|T_x|\eta\rangle)\big).$$

■

The next lemma provides a good approximation to $g(x)$:

Lemma 5.5 Let $L$ be a lattice whose shortest vector is of length at least $10\sqrt{n}$. Then, for any $x \in G$,

$$|g(x) - \mu(\tau_L(x)/2)| < 2^{-\Omega(n)}.$$

Proof: The proof is fairly complicated technically, and we delay it to the appendix. ■
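The following simulation is an added example, not part of the paper: it runs the circuit $C_x$ of Definition 5.3 on a state vector and compares the outcome with Claim 5.4 and Lemma 5.5. It assumes a one-dimensional toy instance ($n = 1$, $L = 10\mathbb{Z}$, $m = 7$) and hypothetical helper names; in one dimension the deviation in Lemma 5.5 is limited by the cutoff at $2\sqrt{n}$, so it is small but not exponentially small.

```python
import math
import random

SPACING = 10.0   # assumed toy lattice L = 10*Z (n = 1): shortest vector 10 = 10*sqrt(n)
N = 2 ** 7       # grid G = L / 2^m with m = 7, so P(L) ∩ G has N points
STEP = SPACING / N

def mu(t):
    """Gaussian mu(t) = exp(-pi * t^2)."""
    return math.exp(-math.pi * t * t)

def tau(x):
    """tau_L(x): x minus its closest lattice point, so |tau(x)| = d(x, L)."""
    return x - SPACING * round(x / SPACING)

def witness():
    """Amplitudes f on P(L) ∩ G: sqrt(mu(tau(x)))/D if d(x, L) < 2*sqrt(n), else 0."""
    raw = []
    for j in range(N):
        t = tau(j * STEP)
        raw.append(math.sqrt(mu(t)) if abs(t) < 2.0 else 0.0)
    d = math.sqrt(sum(a * a for a in raw))
    return [complex(a / d) for a in raw]

def apply_T(state, s):
    """T_x for x = s*STEP: basis state |a> is sent to |a - x mod P(L)>."""
    out = [0j] * N
    for j, amp in enumerate(state):
        out[(j - s) % N] = amp
    return out

def autocorrelation(state, s):
    """Re <state| T_x |state>."""
    shifted = apply_T(state, s)
    return sum(a.conjugate() * b for a, b in zip(state, shifted)).real

def prob_one(state, s):
    """Simulate C_x: control in (|0>+|1>)/sqrt(2), controlled T_x, Hadamard, measure."""
    r = 1 / math.sqrt(2)
    branch0 = [r * a for a in state]               # control = 0: register untouched
    branch1 = [r * a for a in apply_T(state, s)]   # control = 1: T_x applied
    # After the Hadamard, the amplitude attached to control = 1 is (branch0 - branch1)/sqrt(2).
    return sum(abs(r * (p - q)) ** 2 for p, q in zip(branch0, branch1))

def random_state(seed):
    """Constructed test input: a normalized random complex state on the register."""
    rng = random.Random(seed)
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(N)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in amps))
    return [a / norm for a in amps]

def max_claim_error(state):
    """Largest gap between the simulated probability and (1 - Re<eta|T_x|eta>)/2."""
    return max(abs(prob_one(state, s) - (1 - autocorrelation(state, s)) / 2)
               for s in range(N))

def max_lemma_error():
    """Largest |g(x) - mu(tau_L(x)/2)| over all grid points x, for the Gaussian witness."""
    xi = witness()
    return max(abs(autocorrelation(xi, s) - mu(tau(s * STEP) / 2)) for s in range(N))

if __name__ == "__main__":
    print("Claim 5.4, random state :", max_claim_error(random_state(1)))
    print("Claim 5.4, witness      :", max_claim_error(witness()))
    print("Lemma 5.5, max deviation:", max_lemma_error())
    print("P[1] at d(x, L) = 5     :", prob_one(witness(), N // 2))
```

The last line is the toy analogue of the test with respect to a far target: when the shifted witness does not overlap itself, $g(x) = 0$ and the control qubit reads 1 with probability exactly $1/2$.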
5.3 The super-verifier

The super-verifier randomly chooses one of the following two cases:

• Autocorrelation with respect to $v$

Output the circuit $C_v$, together with $r = 1/2$ and $s = n^{-100}$.

• Autocorrelation with respect to short vectors

Let $B'$ denote the ball of radius $n^{-10} + n^{-11}$ around the origin. Choose a vector $x \in B' \cap G$ from the uniform distribution over $B' \cap G$. Let $x'$ be either $x$ or $2x$ with equal probability. Output the circuit $C_{x'}$, together with $r = (1 - \mu(x'/2))/2$ and $s = n^{-100}$.



5.4 Efficiency of the verifier 

The verifier works on points in $\mathcal{P}(L) \cap G$. Note that the map $a \mapsto a - x \bmod \mathcal{P}(L)$ for $x \in \mathcal{P}(L) \cap G$ is well defined and is a bijection on $\mathcal{P}(L) \cap G$, and so is its inverse. This means that these maps can be applied efficiently by a quantum computer. This follows from a basic result in quantum computation, which states that if $U$ and its inverse can be applied efficiently classically, then they can be applied efficiently and without garbage bits by a quantum computer 13.

Next, we describe a procedure that picks a point uniformly at random from $B' \cap G$. First, pick a point $z \in \mathbb{R}^n$ uniformly from the ball $(n^{-10} + n^{-11} + n^{-20})B_n$. Represent it as a combination of the basis vectors $v_1, \ldots, v_n$. Then, let $x \in G$ be the point obtained by rounding the coefficients of $z$ down to multiples of $2^{-m}$. If $x \in B'$ then output $x$. Otherwise, repeat the procedure again.

The probability of outputting each $x \in B' \cap G$ is proportional to the probability that $z$ is in $x + \mathcal{P}(G)$. Since $\mathrm{diam}(\mathcal{P}(G)) < n^{-20}$, $x + \mathcal{P}(G) \subseteq (n^{-10} + n^{-11} + n^{-20})B_n$ and therefore the above probability is proportional to the volume of $\mathcal{P}(G)$. This volume is the same for all $x$ and hence the output is indeed uniform over $B' \cap G$. The procedure has to be repeated when $x \notin B'$. This can only happen if $\|z\| > n^{-10} + n^{-11} - \mathrm{diam}(\mathcal{P}(G)) > n^{-10} + n^{-11} - n^{-20}$. But the probability of this is at most

$$1 - \left(\frac{n^{-10} + n^{-11} - n^{-20}}{n^{-10} + n^{-11} + n^{-20}}\right)^n = 1 - \left(1 - \frac{2n^{-20}}{n^{-10} + n^{-11} + n^{-20}}\right)^n < 1 - (1 - 2n^{-10})^n < 2n^{-9}$$

and therefore the procedure stops after a polynomial number of steps with probability exponentially close to 1. Finally, we note that we cannot really choose a uniform point $z$ in the ball since its representation is not finite; this can be easily fixed by choosing an approximation to $z$ and then arguing that the distance of the output distribution from the uniform distribution on $B' \cap G$ is exponentially small.



5.5 Completeness 

Claim 5.6 Let $L$ be a lattice whose shortest vector is of length at least $10\sqrt{n}$ and $v$ a vector such that $d(v,L) > 10\sqrt{n}$. Then, given the witness $|\xi\rangle$ described in Section 5.1 the super-verifier outputs triples $(V,r,s)$ such that $|\mathrm{tr}(\Pi^{|1\rangle} V|\xi\rangle\langle\xi|V^\dagger) - r| < s$.

Proof: First assume that the super-verifier outputs $C_v$. By Lemma 5.5 $g(v)$ is exponentially small and therefore, using Claim 5.4, $\mathrm{tr}(\Pi^{|1\rangle} V|\xi\rangle\langle\xi|V^\dagger) = (1 - g(v))/2$ is in the range $[\frac{1}{2} - n^{-100}, \frac{1}{2} + n^{-100}]$. Otherwise, the super-verifier outputs a circuit $C_{x'}$ for some short vector $x'$. Notice that $d(x',L) = \|x'\|$ since the lattice has no short vectors. By Lemma 5.5 $g(x')$ is exponentially close to $\mu(x'/2)$ and hence $\mathrm{tr}(\Pi^{|1\rangle} V|\xi\rangle\langle\xi|V^\dagger)$ is exponentially close to $(1 - \mu(x'/2))/2$. ■
5.6 Soundness

Theorem 5.7 Let $L$ be a lattice and $v$ be a vector such that $d(v,L) < 1/3$. Then, given any witness $\rho$, with probability at least $n^{-1000}$, the super-verifier outputs triples $(V,r,s)$ such that $|\mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger) - r| > s$.

Proof: We will need the following definitions:

Definition 5.8 We say $x$ is "good" for a real function $h$ if $|h(x) - \mu(x/2)| < 2n^{-100}$ and $|h(2x) - \mu(x)| < 2n^{-100}$. Otherwise, we say $x$ is "bad" for $h$.

Definition 5.9 We say that $h$ is $\epsilon$-Gaussian approximating on the set $A$ if all except at most $\epsilon$ fraction of the vectors in $A$ are good for $h$.

The idea of the proof is as follows. Let $\rho$ be any witness and assume by contradiction that $d(v,L) < 1/3$ and that with probability at least $1 - n^{-1000}$ the super-verifier outputs $(V,r,s)$ such that $|\mathrm{tr}(\Pi^{|1\rangle} V\rho V^\dagger) - r| < s$. We use $\rho$ to define a PD function $h$, and show that by the conditions of the theorem $|h(v)| < 2n^{-100}$ and that $h$ is $n^{-200}$-Gaussian approximating on $B' \cap G$. We then show that such a PD function doesn't exist, if $d(v,L) < 1/3$, which derives a contradiction.

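Definition of $h$: We can write $\rho$ as $\rho = \sum_i w_i|\alpha_i\rangle\langle\alpha_i|$ for some weights $w_i$ and pure states $|\alpha_i\rangle$. Also, write $|\alpha_i\rangle = \sum_{y \in \mathcal{P}(L) \cap G} \beta_i(y)|y\rangle$ for some $\beta_i : \mathcal{P}(L) \cap G \to \mathbb{C}$. This form of $|\alpha_i\rangle$ is without loss of generality, because by our choice of the number of qubits in the register, and by the definition of $G$, each possible basis state represents a point in $\mathcal{P}(L) \cap G$. Define the functions $h_i : G \to \mathbb{C}$,

$$h_i(x) = \langle\alpha_i|T_x|\alpha_i\rangle = \sum_{y \in \mathcal{P}(L) \cap G} \beta_i^*(y)\,\beta_i(y + x \bmod \mathcal{P}(L)).$$

We let $h : G \to \mathbb{R}$ be the function

$$h(x) = \sum_i w_i\,\mathrm{Re}(h_i(x)).$$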

Claim 5.10 $h$ is PD.

Proof: According to Corollary 3.9 it is enough to show that the $h_i$'s are positive definite. This follows from Claim 3.13 using the group of points in $\mathcal{P}(L) \cap G$ with addition modulo $\mathcal{P}(L)$. ■

Claim 5.11 $|h(v)| < 2n^{-100}$.

Proof: The super-verifier outputs the triple $(C_v, \frac{1}{2}, n^{-100})$ with probability half. By the assumption of the theorem we thus know that

$$|\mathrm{tr}(\Pi^{|1\rangle} C_v\rho C_v^\dagger) - \tfrac{1}{2}| < n^{-100}. \qquad (1)$$

Note that by Claim 5.4 for any $x \in G$,

$$\mathrm{tr}(\Pi^{|1\rangle} C_x\rho C_x^\dagger) = \sum_i w_i(1 - \mathrm{Re}(h_i(x)))/2 = (1 - h(x))/2. \qquad (2)$$

Substituting equation (2) in (1) and multiplying by 2 we get,

$$|h(v)| < 2n^{-100}.$$

Claim 5.12 $h$ is $n^{-200}$-Gaussian approximating on the set $B' \cap G$.

Proof: The super-verifier outputs a triple of the form $(C_{x'}, (1 - \mu(x'/2))/2, n^{-100})$ with probability half. Hence, with probability at least $1 - 2n^{-1000}$

$$|\mathrm{tr}(\Pi^{|1\rangle} C_{x'}\rho C_{x'}^\dagger) - (1 - \mu(x'/2))/2| < n^{-100} \qquad (3)$$

where the probability is taken on the choice of $x'$ by the super-verifier. Substituting equation (2) in equation (3) and multiplying by 2, we get:

$$|h(x') - \mu(x'/2)| < 2n^{-100}.$$

Recall that $x'$ is chosen in two steps: we first choose $x \in B' \cap G$ and then choose $x'$ to be either $x$ or $2x$. Hence, with probability at least $1 - 4n^{-1000}$ over the choice of $x$, both

$$|h(x) - \mu(x/2)| < 2n^{-100}$$

and

$$|h(2x) - \mu(x)| < 2n^{-100}$$

hold. Hence, $h$ is $n^{-200}$-Gaussian approximating on the set $B' \cap G$. ■

We obtain a contradiction by using the following lemma with $w = \tau_L(v)$. Recall that the coefficients of $v$ in the lattice basis are multiples of $2^{-\ell}$. This implies that $\tau_L(v)$ can be represented as an integer combination of the vectors $v_i/2^{\ell}$. Since $m$ was chosen to be at least $\ell + n$, $w/2^n \in G$. The proof of the lemma appears in the next section.

Lemma 5.13 Let $w \in G$ such that $w/2^n$ is also in $G$ and $\|w\| < 1/3$. Then, there is no positive definite function $h$, $h(0) = 1$, which is $n^{-200}$-Gaussian approximating on $B' \cap G$ and $|h(w)| < 2n^{-100}$.



5.7 Proof of Lemma 5.13: No such PD function

Proof: (Of Lemma 5.13) Assume by contradiction that $h$ is a positive definite function, that $|h(w)| < 2n^{-100}$ and that $h$ is $n^{-200}$-Gaussian approximating on $B' \cap G$. We will derive a contradiction in two steps. First, we will find a short vector $y$ in $w$'s direction such that $h(y)$ is much lower than the Gaussian value of $\mu(y/2)$. This is done using the upper bound on $|h(w)|$ and "pulling" it towards the origin using the PD conditions. We will then apply a lemma that shows that the same deviation from the Gaussian occurs everywhere and not only in $w$'s direction.

Definition 5.14 Define $y = w/2^k$, where $k \ge 0$ is the minimal integer such that $\|y\| < 2n^{-12}$.

Notice that if $k \ne 0$ then $\|y\| \ge n^{-12}$. Hence, using $\|w\| < 1/3$, we get that $k < \log(n^{12}/3)$.

Claim 5.15 $y \in G$.

Proof: Since $k < n$, $y$ is an integer multiple of $w/2^n$ and is therefore in $G$. ■

The Gaussian at $y$, $\mu(y/2)$, can be approximated by $1 - \frac{\pi}{4}\|y\|^2$ which is at least $1 - \frac{\pi}{4}4n^{-24} = 1 - \pi n^{-24}$. The following claim shows that $h(y)$ is strictly less than the Gaussian at $y$:

Claim 5.16 Let $h$ be PD such that $h(0) = 1$, $h(w) < n^{-100}$ and $\|w\| < 1/3$. Then $h(y) < 1 - 5n^{-24}$.

Proof: Lemma 3.12 using $w$, $w/2$, shows that $h(w/2) \le \frac{3 + 2n^{-100}}{4}$. Applying Lemma 3.12 again gives $h(w/4) \le \frac{15 + 2n^{-100}}{16}$, and applying it $k$ times gives $h(y) = h(w/2^k) \le 1 - \frac{1 - 2n^{-100}}{4^k}$. Since $k < \log(n^{12}/3)$, we have $h(y) \le 1 - \frac{1 - 2n^{-100}}{4^k} < 1 - 5n^{-24}$. ■
To derive a contradiction, we will use the following claim:

Claim 5.17 Let $h$ be PD such that $h(0) = 1$ and $h(y) < 1 - 5n^{-24}$ for some $\|y\| < 2n^{-12}$. Let $z \in G$ be such that $\|P_y(z)\| < 1/n^{100}$ and $|\,\|P_{y^\perp}(z)\| - n^{-10}| < n^{-100}$. Then at least one of the vectors $z$, $z - y$, $z + y$ is bad for $h$.

Proof: The proof uses the PD condition with $4 \times 4$ matrices. It is quite technical, and is delayed to the appendix. ■

We want to show that in the verifier's second test, it has a non-negligible chance of picking $x$ which is equal to one of the vectors of the form $z$, $z + y$, $z - y$ satisfying the requirements in Claim 5.17. This would mean it has a good chance of catching a "bad" vector, as we will see later. For this we define:

$$A_1 = \{z \in \mathbb{R}^n \mid |\,\|P_{y^\perp}(z)\| - n^{-10}| < n^{-100} \text{ and } \|P_y(z)\| < n^{-100}\}$$
$$A_2 = A_1 + y$$
$$A_3 = A_1 - y$$

Claim 5.18 $A_1, A_2, A_3 \subseteq B'$.

Proof: By the triangle inequality, the norm of a vector in $A_1$, $A_2$ or $A_3$ is at most $n^{-10} + 2n^{-100} + 2n^{-12}$, because $\|y\| < 2n^{-12}$. Hence, its norm is less than $n^{-10} + n^{-11}$, the radius of $B'$. ■

Claim 5.19 Let $x$ be chosen uniformly at random from $B' \cap G$. The probability for $x$ to be in $A_i \cap G$ is at least $n^{-180}/10$, for all $i = 1, 2, 3$.

Proof: First notice that $|A_1 \cap G| = |A_2 \cap G| = |A_3 \cap G|$ and they are all subsets of $B'$. Hence, the probability that $x$ is in $A_i \cap G$ is the same for $i = 1, 2, 3$. Therefore, in the following it will be enough to consider the set $A_1$. Let

$$A = \{z \in \mathbb{R}^n \mid |\,\|P_{y^\perp}(z)\| - n^{-10}| < n^{-100}/2 \text{ and } \|P_y(z)\| < n^{-100}/2\}$$

be a subset of $A_1$. Notice that since $\mathrm{diam}(\mathcal{P}(G))$ was chosen to be very small, any point $z \in G$ such that $(z + \mathcal{P}(G)) \cap A \ne \emptyset$ must satisfy $z \in A_1$. Similarly, if we define $B$ as the ball of radius $n^{-10} + 2n^{-11}$ then any point $z \in G$ such that $(z + \mathcal{P}(G)) \cap B' \ne \emptyset$ must satisfy $z \in B$. Hence we obtain,

$$\frac{|A_1 \cap G|}{|B' \cap G|} \ge \frac{\mathrm{vol}(A)/\mathrm{vol}(\mathcal{P}(G))}{\mathrm{vol}(B)/\mathrm{vol}(\mathcal{P}(G))} = \frac{\mathrm{vol}(A)}{\mathrm{vol}(B)}.$$

We now lower bound this ratio of volumes. Recall that the volume of an $n$ dimensional ball around the origin of radius $R$ is $\omega_n R^n$ where $\omega_n$ is the volume of the unit $n$-ball.

$$\begin{aligned}
\mathrm{vol}(A) &= n^{-100} \cdot \omega_{n-1} \cdot \big((n^{-10} + n^{-100}/2)^{n-1} - (n^{-10} - n^{-100}/2)^{n-1}\big) \\
&\ge n^{-100} \cdot \omega_{n-1} \cdot (n^{-10} - n^{-100}/2)^{n-1} \cdot \big((1 + n^{-90})^{n-1} - 1\big) \\
&\ge n^{-100} \cdot \omega_{n-1} \cdot (n^{-10} - n^{-100}/2)^{n-1} \cdot n^{-90}.
\end{aligned}$$

Using $\mathrm{vol}(B) = \omega_n \cdot (n^{-10} + 2n^{-11})^n$,

$$\frac{\mathrm{vol}(A)}{\mathrm{vol}(B)} \ge \frac{n^{-190}\,\omega_{n-1}\,(n^{-10} - n^{-100}/2)^{n-1}}{\omega_n\,(n^{-10} + 2n^{-11})^n} \ge n^{-180} \cdot \frac{\omega_{n-1}}{\omega_n} \cdot \frac{(1 - n^{-90}/2)^{n-1}}{(1 + 2n^{-1})^{n}} \ge n^{-180}/10$$

where in the last inequality we used $\omega_{n-1}/\omega_n = \Omega(\sqrt{n}) > 1$.
Claim 5.20 $h$ is not $n^{-200}$-Gaussian approximating on $B' \cap G$.

Proof: For any $x \in A_1 \cap G$, consider the triple $x$, $x + y$, $x - y$ and notice that $x + y \in A_2 \cap G$, $x - y \in A_3 \cap G$. By Claim 5.17 at least one point in each triple is bad for $h$. Hence, at least a third of the points in one of the sets $A_1 \cap G$, $A_2 \cap G$, $A_3 \cap G$ are bad for $h$. Since each of these sets contains $n^{-180}/10$ of the points in $B' \cap G$, the fraction of bad points for $h$ in $B' \cap G$ is at least $n^{-180}/30$. ■

This is a contradiction and thus completes the proof of Lemma 5.13. ■



6 Reducing coGapSVP to coGapCVP' 

In this section we prove Theorem 2.3. We show how to construct a verifier $V'$ for $\mathrm{coGapSVP}_\beta$ given a verifier $V$ for $\mathrm{coGapCVP}'_\beta$. By using amplification J3|> we can assume without loss of generality that for YES instances there exists a witness such that $V$ accepts with probability at least $1 - 2^{-n}$ and that for NO instances $V$ accepts with probability less than $2^{-n}$ for any witness. Let $L$ be the input lattice given by $(v_1, \ldots, v_n)$. The witness supplied to $V'$ is supposed to be of the following form:

$$|\alpha_1\rangle|\alpha_2\rangle \cdots |\alpha_n\rangle.$$

Each $|\alpha_i\rangle$ is supposed to be a witness for the $\mathrm{coGapCVP}'_\beta$ instance given by the lattice $L_i$ spanned by $(v_1, \ldots, v_{i-1}, 2v_i, \ldots, v_n)$ and the target vector $v_i$. The verifier $V'$ applies $V$ to each $|\alpha_i\rangle$ with the instance $(L_i, v_i)$. It accepts if and only if $V$ accepted in all the calls.

First assume that $L$ is a YES instance to $\mathrm{coGapSVP}_\beta$. In other words, the length of the shortest vector is at least $\beta$. Since $L_i$ is a sublattice of $L$, its shortest vector is at least $\beta$. In addition, since for any $i \in [n]$, $v_i \notin L_i$ this implies that $d(v_i, L_i) \ge \beta$. Hence, $(L_i, v_i)$ is a YES instance of $\mathrm{coGapCVP}'_\beta$ and there exists a witness $|\alpha_i\rangle$ such that $V$ accepts it with probability at least $1 - 2^{-n}$. Therefore, the combined witness $|\alpha_1\rangle \ldots |\alpha_n\rangle$ is accepted by $V'$ with probability at least $1 - n2^{-n}$.

It is left to consider the case where $L$ is a NO instance. In other words, if

$$u = a_1v_1 + a_2v_2 + \cdots + a_nv_n$$

denotes the shortest vector, then its length is at most 1. Notice that not all the $a_i$'s are even for otherwise the vector $u/2$ is a shorter lattice vector. Let $j$ be such that $a_j$ is odd. Then the distance of $v_j$ from the lattice $L_j$ is at most $\|u\| \le 1$ since $v_j + u \in L_j$. Hence, the $j$'th instance of $\mathrm{coGapCVP}'_\beta$ is a NO instance and for any witness $|\alpha_j\rangle$, $V$ accepts with probability at most $2^{-n}$ and so does $V'$.
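An added brute-force check of the reduction above on a constructed two-dimensional basis (not code from the paper; the function names and the enumeration bound are assumptions that only suit tiny lattices): it builds the instances $(L_i, v_i)$ and confirms that every $d(v_i, L_i)$ is at least the shortest-vector length, with equality at an index $j$ where the coefficient $a_j$ is odd.

```python
import itertools

def span(basis, bound):
    """Yield (coeffs, vector) for every integer combination with |coeff| <= bound."""
    dim = len(basis[0])
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        yield coeffs, tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))

def sq_norm(v):
    """Squared Euclidean length, kept as an integer to avoid rounding."""
    return sum(c * c for c in v)

def shortest_vector(basis, bound=6):
    """(squared length, coefficients) of a shortest nonzero vector found in the box."""
    return min((sq_norm(v), coeffs) for coeffs, v in span(basis, bound) if any(coeffs))

def sq_dist(target, basis, bound=6):
    """Squared distance from target to the closest lattice point found in the box."""
    return min(sq_norm(tuple(t - c for t, c in zip(target, v)))
               for _, v in span(basis, bound))

def cvp_instances(basis):
    """The n instances (L_i, v_i): L_i has v_i replaced by 2*v_i, the target is v_i."""
    for i, v_i in enumerate(basis):
        l_i = [tuple(2 * c for c in b) if k == i else b for k, b in enumerate(basis)]
        yield l_i, v_i

def reduction_report(basis):
    """Return (lambda_1^2, coefficients a of a shortest u, [d(v_i, L_i)^2], odd indices)."""
    lam_sq, coeffs = shortest_vector(basis)
    dists = [sq_dist(v_i, l_i) for l_i, v_i in cvp_instances(basis)]
    odd = [j for j, a in enumerate(coeffs) if a % 2]
    return lam_sq, coeffs, dists, odd

# Constructed sample basis: the shortest vector (1, -1) = -2*v_1 + 3*v_2 is not a basis vector.
BASIS = [(7, 2), (5, 1)]

if __name__ == "__main__":
    lam_sq, coeffs, dists, odd = reduction_report(BASIS)
    print("shortest vector squared length:", lam_sq, "coefficients:", coeffs)
    print("squared distances d(v_i, L_i)^2:", dists, "odd coefficient indices:", odd)
```

Here $a_1 = -2$ is even and $a_2 = 3$ is odd, so only the second instance inherits the short vector, which is why $V'$ must run $V$ on all $n$ instances.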
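A Some Technical Claims

Claim A.1 For any two vectors $z, z' \in \mathbb{R}^n$,

$$|\mu(z) - \mu(z')| \le O(\|z - z'\|).$$

Proof: The derivative of $\mu(\alpha)$ is $-2\pi\alpha e^{-\pi\alpha^2}$ which is at most $\sqrt{2\pi/e}$ in absolute value. Hence, for any $\alpha, \beta \in \mathbb{R}$,

$$|\mu(\alpha) - \mu(\beta)| \le \sqrt{2\pi/e} \cdot |\alpha - \beta| = O(|\alpha - \beta|).$$

The claim follows since for any $w \in \mathbb{R}^n$, $\mu(w) = \mu(\|w\|)$ and $|\,\|z\| - \|z'\|\,| \le \|z - z'\|$. ■

Claim A.2

$$\int_{\mathbb{R}^n} \mu(z)\,dz = 1$$

Proof:

$$\int_{\mathbb{R}^n} \mu(z)\,dz = \int_{\mathbb{R}^n} e^{-\pi\|z\|^2}\,dz = \int_{\mathbb{R}^n} e^{-\pi z_1^2} \cdots e^{-\pi z_n^2}\,dz = \left(\int_{\mathbb{R}} e^{-\pi x^2}\,dx\right)^n = 1^n = 1.$$

Claim A.3

$$\int_{\sqrt{n}B_n} \mu(z)\,dz \ge 1 - 2^{-\Omega(n)}$$

Proof: According to Claim A.2 it is enough to show that

$$\int_{z \notin \sqrt{n}B_n} \mu(z)\,dz \le 2^{-\Omega(n)}.$$

Since $\mu$ depends only on the norm of $z$ we can switch to polar coordinates and get

$$\int_{z \notin \sqrt{n}B_n} \mu(z)\,dz = n\,\omega_n \int_{\sqrt{n}}^{\infty} e^{-\pi r^2} r^{n-1}\,dr \le \frac{n}{\pi}\,\omega_n\,e^{-\pi n}\,n^{\frac{n}{2}-1}. \qquad (4)$$

Using Stirling's formula,

$$\omega_n = \frac{\pi^{n/2}}{\Gamma(\frac{n}{2} + 1)} \approx \frac{1}{\sqrt{\pi n}}\left(\frac{2\pi e}{n}\right)^{n/2}.$$

Hence, (4) is

$$\frac{n}{\pi} \cdot \frac{1}{\sqrt{\pi n}}\left(\frac{2\pi e}{n}\right)^{n/2} e^{-\pi n}\,n^{\frac{n}{2}-1} = \frac{1}{\pi\sqrt{\pi n}}\,(2\pi e)^{n/2} e^{-\pi n} = 2^{-\Omega(n)}.$$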
B Proof of correct autocorrelation

In this section we prove Lemma 5.5. Recall that $g$ is defined as

$$g(x) = \sum_{y \in \mathcal{P}(L) \cap G} f(y) f(x + y).$$

The function $f$ is periodic on the lattice $L$. Hence,

$$g(x) = \sum_{y \in \mathcal{P}(L) \cap G} f(y) f(x + y) = \sum_{y \in \mathcal{P}(L) \cap G} f(\tau_L(y)) f(\tau_L(y) + x).$$

Furthermore, $\tau_L$ can be seen as a bijection between $\mathcal{P}(L) \cap G$ and $\mathrm{Vor}(L) \cap G$. Hence, the above is equal to,

$$\sum_{y \in \mathrm{Vor}(L) \cap G} f(y) f(y + x).$$

When $\|y\| > 2\sqrt{n}$, $f(y) = 0$. Also, if $\|y\| < 2\sqrt{n}$, then $y \in \mathrm{Vor}(L)$ because the shortest vector in the lattice is at least $10\sqrt{n}$. Therefore, the above sum is,

$$\sum_{y \in G \,\mid\, \|y\| < 2\sqrt{n}} f(y) f(y + x).$$

Notice that for $\|y\| < 2\sqrt{n}$, $f(y) = \sqrt{\mu(y)}/D$. Also, if $f(y + x) \ne 0$ then $d(y + x, L) < 2\sqrt{n}$ and therefore $d(x, L) < 4\sqrt{n}$. Using the assumption that the shortest vector in the lattice is $10\sqrt{n}$, this implies that the closest lattice point to $y + x$ is the same as the closest lattice point to $x$. In other words, $\tau_L(y + x) = y + \tau_L(x)$. Let $S(x)$ denote the set of all $y \in G$ such that both $\|y\|$ and $\|y + \tau_L(x)\|$ are at most $2\sqrt{n}$. Then the above sum is,

$$\frac{1}{D^2} \sum_{y \in S(x)} \sqrt{\mu(y)\,\mu(y + \tau_L(x))}.$$

For any $y \in S(x)$, $\mu(y) \ge 2^{-O(n)}$. Using Claim A.1 we see that for any $z \in y + \mathcal{P}(G)$, $|\mu(y) - \mu(z)| \le O(\mathrm{diam}(\mathcal{P}(G))) = 2^{-\Omega(n^2)}$. Hence, this translates to a multiplicative error of $\mu(z) = (1 \pm 2^{-\Omega(n)})\mu(y)$. A similar argument shows that $\mu(z + \tau_L(x)) = (1 \pm 2^{-\Omega(n)})\mu(y + \tau_L(x))$. By combining the two equalities and taking the square root, we get that for any $y \in S(x)$ and for any $z \in y + \mathcal{P}(G)$,

$$\sqrt{\mu(y)\,\mu(y + \tau_L(x))} = (1 \pm 2^{-\Omega(n)})\sqrt{\mu(z)\,\mu(z + \tau_L(x))}.$$

Averaging the right hand side over all $z \in y + \mathcal{P}(G)$,

$$\sqrt{\mu(y)\,\mu(y + \tau_L(x))} = (1 \pm 2^{-\Omega(n)})\frac{1}{\mathrm{vol}(\mathcal{P}(G))}\int_{y + \mathcal{P}(G)} \sqrt{\mu(z)\,\mu(z + \tau_L(x))}\,dz.$$

We therefore obtain the following estimation of $g(x)$:

$$(1 \pm 2^{-\Omega(n)})\frac{1}{D^2}\sum_{y \in S(x)} \frac{1}{\mathrm{vol}(\mathcal{P}(G))}\int_{y + \mathcal{P}(G)} \sqrt{\mu(z)\,\mu(z + \tau_L(x))}\,dz$$

$$= (1 \pm 2^{-\Omega(n)})\frac{1}{\mathrm{vol}(\mathcal{P}(G)) \cdot D^2}\int_{S(x) + \mathcal{P}(G)} \sqrt{\mu(z)\,\mu(z + \tau_L(x))}\,dz.$$

Recall that $D$ was chosen so that $g(0) = 1$. Hence, we get that
Since $S(0) + \mathcal{P}(G)$ contains the ball of radius $\sqrt{n}$ around the origin,

$$1 - 2^{-\Omega(n)} \le \int_{\sqrt{n}B_n} \mu(z)\,dz \le \int_{S(0) + \mathcal{P}(G)} \mu(z)\,dz \le \int_{\mathbb{R}^n} \mu(z)\,dz = 1$$

where we used Claim A.3 and Claim A.2. Hence,

$$\frac{1}{\mathrm{vol}(\mathcal{P}(G)) \cdot D^2} = 1 \pm 2^{-\Omega(n)}.$$

Thus, the estimation of $g(x)$ becomes

$$(1 \pm 2^{-\Omega(n)})\int_{S(x) + \mathcal{P}(G)} \sqrt{\mu(z)\,\mu(z + \tau_L(x))}\,dz.$$

This can be further approximated by

$$\begin{aligned}
(1 \pm 2^{-\Omega(n)})\int_{S(x) + \mathcal{P}(G)} \sqrt{\mu(z)\,\mu(z + \tau_L(x))}\,dz &= (1 \pm 2^{-\Omega(n)})\int_{S(x) + \mathcal{P}(G)} \mu(z + \tau_L(x)/2)\,\mu(\tau_L(x)/2)\,dz \\
&= (1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2)\int_{S(x) + \mathcal{P}(G)} \mu(z + \tau_L(x)/2)\,dz
\end{aligned}$$

where in the first equality we used $\|z\|^2 + \|z + \tau_L(x)\|^2 = 2(\|z + \tau_L(x)/2\|^2 + \|\tau_L(x)/2\|^2)$. We can now upper bound $g(x)$ by

$$(1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2)\int_{\mathbb{R}^n} \mu(z + \tau_L(x)/2)\,dz = (1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2)\int_{\mathbb{R}^n} \mu(z)\,dz = (1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2).$$

In particular, this means that for $x$ such that $d(x, L)$ is greater than, say, $\sqrt{n}/2$, $g(x)$ is indeed exponentially close to $\mu(\tau_L(x)/2) = 2^{-\Omega(n)}$. Therefore, it remains to consider the case $d(x, L) \le \sqrt{n}/2$. Here, $\sqrt{n}B_n \subseteq S(x) + \mathcal{P}(G) + \tau_L(x)/2$ and therefore $g(x)$ can be lower bounded by

$$(1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2)\int_{S(x) + \mathcal{P}(G) + \tau_L(x)/2} \mu(z)\,dz \ge (1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2)\int_{\sqrt{n}B_n} \mu(z)\,dz \ge (1 \pm 2^{-\Omega(n)})\,\mu(\tau_L(x)/2)$$

where we used Claim A.3.



C Proof of Claim 5.17

We assume by contradiction that the vectors $z$, $z - y$, $z + y$ are good for $h$, that $h(y) < 1 - 5n^{-24}$ and that $h$ is a positive definite function. We will derive a contradiction by using the PD condition with a $4 \times 4$ matrix.

Choose $k = 4$ in Definition 3.8 and choose the origin, the vector $-z$, the vector $z$ and the vector $y$ as the four vectors. By the assumption that $h$ is positive definite, and by Corollary 3.10 the following holds:

$$\begin{vmatrix}
1 & h(z) & h(z) & h(y) \\
h(z) & 1 & h(2z) & h(z + y) \\
h(z) & h(2z) & 1 & h(z - y) \\
h(y) & h(z + y) & h(z - y) & 1
\end{vmatrix} \ge 0.$$

By the assumption that $z$, $z - y$, $z + y$ are good, it follows that

$$h(z) = \mu(z/2) + O(n^{-100})$$
$$h(2z) = \mu(z) + O(n^{-100})$$
$$h(z + y) = \mu((z + y)/2) + O(n^{-100})$$
$$h(z - y) = \mu((z - y)/2) + O(n^{-100})$$
where the $O(n^{-100})$ denotes an additive error whose absolute value is at most in the order of $n^{-100}$.

Let $z' = P_{y^\perp}(z)$ be the projection of $z$ on the subspace orthogonal to $y$. According to Claim A.1 by replacing $z$ with $z'$ in the above estimations we introduce an error of at most $O(\|z - z'\|) \le O(n^{-100})$:

$$h(z) = \mu(z'/2) + O(n^{-100})$$
$$h(2z) = \mu(z') + O(n^{-100})$$
$$h(z + y) = \mu((z' + y)/2) + O(n^{-100})$$
$$h(z - y) = \mu((z' - y)/2) + O(n^{-100})$$

Let $\alpha = \mu(z'/2)$ and $\beta = \mu(z'/2)\mu(y/2)$. Then, notice that $\mu(z') = \alpha^4$ and that $\mu((z' + y)/2) = \mu((z' - y)/2) = \beta$ since $z'$ and $y$ are orthogonal. Hence,

$$h(z) = \alpha + O(n^{-100})$$
$$h(2z) = \alpha^4 + O(n^{-100})$$
$$h(z - y) = \beta + O(n^{-100})$$
$$h(z + y) = \beta + O(n^{-100})$$

We can replace each entry of the above determinant by its estimation. By Lemma 3.11 all the entries of the determinant have an absolute value of at most one and therefore the error introduced is at most $O(n^{-100})$:

$$\begin{vmatrix}
1 & \alpha & \alpha & h(y) \\
\alpha & 1 & \alpha^4 & \beta \\
\alpha & \alpha^4 & 1 & \beta \\
h(y) & \beta & \beta & 1
\end{vmatrix} + O(n^{-100}) \ge 0.$$

Let us now expand the determinant:

$$\begin{aligned}
\begin{vmatrix}
1 & \alpha & \alpha & h(y) \\
\alpha & 1 & \alpha^4 & \beta \\
\alpha & \alpha^4 & 1 & \beta \\
h(y) & \beta & \beta & 1
\end{vmatrix}
&= \begin{vmatrix}
1 - \alpha^2 & \alpha^4 - \alpha^2 & \beta - \alpha h(y) \\
\alpha^4 - \alpha^2 & 1 - \alpha^2 & \beta - \alpha h(y) \\
\beta - \alpha h(y) & \beta - \alpha h(y) & 1 - (h(y))^2
\end{vmatrix} \\
&= \begin{vmatrix}
1 - \alpha^2 & \alpha^4 - \alpha^2 & \beta - \alpha h(y) \\
\alpha^4 - 1 & 1 - \alpha^4 & 0 \\
\beta - \alpha h(y) & \beta - \alpha h(y) & 1 - (h(y))^2
\end{vmatrix} \\
&= \begin{vmatrix}
1 - \alpha^2 & (\alpha^2 - 1)^2 & \beta - \alpha h(y) \\
\alpha^4 - 1 & 0 & 0 \\
\beta - \alpha h(y) & 2(\beta - \alpha h(y)) & 1 - (h(y))^2
\end{vmatrix} \\
&= (1 - \alpha^4)\big((\alpha^2 - 1)^2(1 - (h(y))^2) - 2(\beta - \alpha h(y))^2\big).
\end{aligned}$$

Hence,

$$(1 - \alpha^4)\big((\alpha^2 - 1)^2(1 - (h(y))^2) - 2(\beta - \alpha h(y))^2\big) + O(n^{-100}) \ge 0.$$

From the assumption that $|\,\|z'\| - n^{-10}| < n^{-100}$ it follows that $1 - \alpha^4$ is in the order of $\Theta(n^{-20})$. Hence, dividing by $1 - \alpha^4$ which is a positive number, we get

$$(\alpha^2 - 1)^2(1 - (h(y))^2) - 2(\beta - \alpha h(y))^2 + O(n^{-80}) \ge 0.$$

Rearranging terms,

$$\big((1 - \alpha^2)^2 - 2\beta^2\big) + 4\alpha\beta \cdot h(y) - (1 + \alpha^4) \cdot (h(y))^2 + O(n^{-80}) \ge 0.$$
From this we can obtain the following lower bound on $h(y)$,

$$h(y) \ge \frac{2\alpha\beta - \sqrt{4\alpha^2\beta^2 + (1 + \alpha^4)((1 - \alpha^2)^2 - 2\beta^2) + O(n^{-80})}}{1 + \alpha^4}.$$

We show that the term under the square root is negligible, because it is $O(n^{-64})$:

$$\begin{aligned}
4\alpha^2\beta^2 + (1 + \alpha^4)((1 - \alpha^2)^2 - 2\beta^2) + O(n^{-80}) &= (1 - \alpha^2)^2(1 + \alpha^4 - 2\beta^2) + O(n^{-80}) \\
&= (1 - \alpha^2)^2\big((1 - \alpha^2)^2 + 2(\alpha - \beta)(\alpha + \beta)\big) + O(n^{-80}).
\end{aligned}$$

The term $1 - \alpha^2$ is of the order $\Theta(n^{-20})$, the term $\alpha + \beta$ is at most 2 and the term $\alpha - \beta$ equals $\mu(z'/2)(1 - \mu(y/2)) \le 1 - \mu(y/2)$ which is of the order $O(n^{-24})$. Hence, the above expression is of the order $O(n^{-64})$. After taking the square root it is of the order $O(n^{-32})$. We therefore get:

$$h(y) \ge \frac{2\alpha\beta}{1 + \alpha^4} + O(n^{-32}) = \frac{2\alpha^2}{1 + \alpha^4} \cdot \frac{\beta}{\alpha} + O(n^{-32}).$$

We have

$$\frac{2\alpha^2}{1 + \alpha^4} = 1 - O((\alpha - 1)^2) = 1 + O(n^{-40}),$$

where we used the Taylor series expansion of the left hand side around 1. Also, $\beta/\alpha = \mu(y/2) \ge 1 - \pi n^{-24} + O(n^{-48})$. Hence,

$$h(y) \ge 1 - \pi n^{-24} + O(n^{-32})$$

which contradicts the assumption that $h(y) < 1 - 5n^{-24}$.